Implement toggling CD flag when using a forwarder
When validating through a forwarder, there are scenarios where successful resolution and validation require re-querying with CD in the other state, as there is no direct access to the authoritative servers.
If you start with CD=0, then on SERVFAIL from the forwarder you re-issue the query with CD=1 to accommodate a forwarder with out-of-date trust anchors or a bad clock.
If you start with CD=1 then on validation failure you re-issue the query with CD=0 to force the forwarder to discard responses from upstream (or that are cached without validation) that do not validate. A forwarder is supposed to treat answers that do not validate as having not arrived. This in turn should result in further upstream queries.
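The two retry rules above, sketched as an added example that is not code from this project: `resolve`, `Response` and both forwarders are hypothetical names, and the forwarders are constructed stand-ins that simulate a forwarder with stale trust anchors and one holding an unvalidated bogus answer in cache.

```python
# Added illustration of the CD-toggle retry; all names are hypothetical,
# and the forwarders below are constructed stand-ins, not real DNS servers.
from dataclasses import dataclass

NOERROR, SERVFAIL = "NOERROR", "SERVFAIL"

@dataclass
class Response:
    rcode: str
    bogus: bool = False  # True: the answer fails our local DNSSEC validation

def resolve(forwarder, qname, start_cd):
    """Return (usable response or None, list of CD values sent)."""
    sent = [start_cd]
    resp = forwarder(qname, start_cd)
    if not start_cd:
        # Started with CD=0: SERVFAIL may only mean the forwarder cannot
        # validate (stale trust anchors, bad clock). Retry with CD=1.
        retry = resp.rcode == SERVFAIL
    else:
        # Started with CD=1: a locally bogus answer may be unvalidated
        # data. Retry with CD=0 so the forwarder validates and discards it.
        retry = resp.rcode == NOERROR and resp.bogus
    if retry:
        sent.append(not start_cd)
        resp = forwarder(qname, not start_cd)
    # Local validation is the final gate whichever CD value was used.
    usable = resp.rcode == NOERROR and not resp.bogus
    return (resp if usable else None), sent

def stale_anchor_forwarder(qname, cd):
    """Constructed: cannot validate anything itself; upstream data is good."""
    return Response(NOERROR) if cd else Response(SERVFAIL)

class BogusCacheForwarder:
    """Constructed: caches a bogus answer that it never validated."""
    def __init__(self):
        self.cached_bogus, self.upstream_queries = True, 0
    def __call__(self, qname, cd):
        if self.cached_bogus and cd:
            return Response(NOERROR, bogus=True)  # passed through unchecked
        if self.cached_bogus:  # CD=0: validate, discard, ask upstream again
            self.cached_bogus = False
            self.upstream_queries += 1
        return Response(NOERROR)

if __name__ == "__main__":
    print(resolve(stale_anchor_forwarder, "example.", False))
    print(resolve(BogusCacheForwarder(), "example.", True))
```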